"I'm thinking there's probably a wealth of information that just got tucked into your pocket," Norton says. "Something that we'd like to get our hands on."

Easy for law enforcement officers to say, but today's phones have more in common with a personal computer than they do with, say, the contents of someone's pants pockets, as the state of Texas memorably argued.

The courts have offered mixed opinions as to whether a warrant is needed to view the contents of someone's phone. This lack of a "bright line" is increasingly problematic as smartphones have become a convenient, pocket-sized data center that can reveal plenty of information that wouldn't normally be accessible without a warrant.

The NPR story deals only with access granted by warrants, but it does lead off with another Detective Norton quote which points out how officers will attempt to separate the ignorant from their (possibly incriminating) evidence.

Once he's seized a phone, Norton says, he often has to return to the owner to ask for help.

"Maybe you've established a rapport and you're getting along with this person," Norton says. "We'll reach out to that person and say, 'Hey, your phone's locked. We'd like to inspect it. We'll probably be getting a warrant. Would you give us your password?' "

Refusing to hand over a password shouldn't seem to be a problem, but like the issue listed above, the courts have been unclear as to whether the Fifth Amendment's protections against self-incrimination extends to passwords. This could lead to obstruction charges or contempt of court for the phone's owner.

Just getting a warrant doesn't necessarily make everything OK, either. There's a ton of non-relevant data on any given smartphone, all of which can easily be accessed once the phone is unlocked. Narrowly-written warrants that set limits on what officers can and can't look at are a partial solution, but one that few law enforcement agencies are likely to follow.

Blindly diving into the contents of someone's smartphone exposes a whole lot of information, and if officers aren't exactly sure where this incriminating data is located, they'll probe around until they can find it. Armed with just enough "belief and information" to be dangerous, they'll easily be able to make the case that all contents are "relevant" until proven otherwise. This obviously raises privacy concerns, but again, there's no specific protection in place for these contents, which some courts have argued contain no "expectation of privacy" thanks to constant "checkins" with third party providers and services.

Not that the lack of a warrant or permission will necessarily prevent the phone from being searched. (That "problem" can always be dealt with later in the courtroom…)

Companies such as Guidance Software and Cellebrite sell products to law enforcement that "image" smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don't support this, so it's a constant effort to keep the forensic software up to date.

As Morris notes, cellphone companies aren't cooperating in providing back doors for law enforcement to access phones without warrants. So, like our very own NSA, these companies use exploits to crack phones for curious cops.

These phone-copying systems rely heavily on what hackers call "exploits," or vulnerabilities in the phones' operating systems that can be used to get around the password or encryption.

All in all, Apple's phones are more secure than Android handsets. But either way, having to go through the warrant process can mean weeks to months of waiting (if the handset needs to be returned to the manufacturer) for the release of "rescued" data. (Courts have been more reluctant to force defendants to turn over passwords, seeing this as more of a clear Fifth Amendment violation.) Not surprisingly, this turnaround time is considered unacceptable, hence the arms race of private company vs. private company to gain (and maintain) control of a smartphone's contents.

Even considering the oft-abused Third Party Doctrine, it would seem that a warrantless search of a smartphone would be a Fourth Amendment violation. There's just too much information stored on the average smartphone to be compared to anything found on a person during a normal search. And, as a New York law student recently asked Supreme Court Justice Antonin Scalia, isn't searching someone's computer roughly equivalent to their "effects," Fourth Amendment-wise? For all intents and purposes, a smartphone is a portable computer, loaded with a person's "effects" and creating a time/date/location "event" every time it pings a cell tower.

Considering how much info can be gathered from a single smartphone, It's little wonder law enforcement wants to peek at arrestees' smartphones, but the courts need to do a bit of catching up to today's cellphone realities. And there needs to be more attention paid to the fact that law enforcement agencies are partnering with private companies to crack phones, apparently without asking for a warrant first.

from the wrong-lessons-learned dept

Lying on his family room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didnít need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.

That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.

"We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."

"No, I didn't," he insisted. "Somebody else could have but I didn't do anything like that."

"You're a creep ... just admit it," they said.

It seems that law enforcement folks now admit that they screwed up, but the "lesson" they're getting out of it seems completely backwards. They're saying the lesson is that you should protect your WiFi router. That may be a good idea for some people, but there are plenty of legitimate reasons for offering an open WiFi connection. Furthermore, as noted, some people don't know how to set up their WiFi security.

But the bigger questions are:

Why is law enforcement sending in a SWAT team for child porn downloads? You could potentially see it in cases of production, but with downloads, can't they just do a standard arrest?

Why didn't they do a simple check beforehand to see if the router was open before bursting into the home with assault weapons and unproven assertions?

How come none of the "cautionary lessons" involve law enforcement folks realizing that they overreacted?

What's really disturbing is that the thrust of the original article is all about how this is a cautionary tale for wireless router owners, rather than a cautionary tale about overaggressive law enforcement.

from the oh-come-on dept

There's all sorts of interesting security research being done out there, but sometimes you just sort of shake your head. A new report has come out that folks with fancy new smartphones that have large touchscreens may face a threat because the smudges left on the screen could indicate passwords. It certainly makes for a good headline... but... seriously? Has this ever happened? Doubtful. How likely is it to happen? It seems exceptionally unlikely. I recognize the importance of exploring different potential security vulnerabilities, but this one seems a bit far-fetched.

from the open-wifi-is-illegal? dept

Germany's top criminal court ruled Wednesday that Internet users need to secure their private wireless connections by password to prevent unauthorized people from using their Web access to illegally download data.

Internet users can be fined up to euro100 ($126) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, the Karlsruhe-based court said in its verdict.

"Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation," the court said.

This is backwards in so many ways. First, open WiFi is quite useful, and requiring a password can be a huge pain, limiting all sorts of individuals and organizations who have perfectly good reasons for offering free and open WiFi. Second, fining the WiFi hotspot owner for actions of users of the service is highly troubling from a third party liability standpoint. The operator of the WiFi hotspot should not be responsible for the actions of users, and it's troubling that the German court would find otherwise. This is an unfortunate ruling no matter how you look at it.